Cybersecurity researcher Jeremiah Fowler discovered and reported to Website Planet an unencrypted and non-password-protected database that contained 957,434 records. The database belongs to an Ohio-based organization that helps individuals obtain physician-certified medical marijuana cards. The database held PII, driver's licenses, medical records, documents containing SSNs, and other potentially sensitive internal information.
So, the absolute bare minimum was not followed. Just a wide-open database containing medical information.
More evidence cannabis needs to be recreational. We can let people use their FSA money for it and/or give a steep discount to people who "really" need it, like cancer patients... but I think a lot of people who bounce between
Anyways, there are a LOT of little fly-by-night outfits that "help" you get a medical card in many states. It's a joke, and all it does is empower the same type of person who used to be a pill doctor to rent-seek, and it's not at all a surprise one had poor data practices.
This seems totally unrelated to whether cannabis should be recreational. If my insurance company leaked my PHI, that would certainly not be evidence that any of my prescriptions should be OTC.
>This seems totally unrelated to whether cannabis should be recreational.
Basically, they only pretend it's "medical" in order to gatekeep and rent-seek care. Since they are interested in profit rather than actual services, their systems tend to have many issues.
I mean... if you ask me prescriptions for things like cholesterol or blood pressure should be OTC, benefit outweighs the risk. Nobody is getting high off statins. Imagine how much that would save our healthcare system. Insulin is the one dubious thing because it can be very deadly if misused... and it IS in fact OTC because it can be deadly if unavailable, benefit outweighs the risk.
Insulin is very much not "the one" dubious thing. There are very many things which are prescribed that have abuse potential and which could be deadly if misused.
I mean, fun story time: back in 2014 my dad's house was broken into, and among other things, they stole a bottle of a benzo, and while most of my dad's medications were untouched, they stole his blood pressure meds.
As I was relating this to a colleague, another employee who was within earshot explained that no, for certain things it can 'enhance' the high... go figure.
Despite some of the discourse there are some long term side-effects (though it seems mostly especially bad for adolescents where stopping consumption does not revert the impact on cognitive function): https://en.m.wikipedia.org/wiki/Long-term_effects_of_cannabi...
Then it's a societal choice between the benefits of easier access to it for medical use (non-OTC drugs are harder to get when you need them) plus lower burden on law enforcement when it does not have to deal with this anymore, and the opportunity cost to society when some people don't use it responsibly and waste their chances. I see positives and negatives for both choices.
(I don't believe other drugs being legal is an argument, alcohol and tobacco wouldn't be legal if discovered today but because they have widespread use it's impossible to forbid them)
Cannabis is widely used today. Half of US adults have smoked it at one point of their life. 20% regularly smoke it. We are at the point where more people use it than alcohol in the US.
I could get behind this so long as there’s still limits on your person and in public places. Colorado has a great system. However, legalization has only created weed monopolies by abuse of the law language. Essentially making it illegal for smaller shops to compete.
Those same people are the ones contracting out these systems with local governments.
The limits don’t really make sense either. Plenty of people grow for personal use and all of them will be in violation considering the yield from a single outdoor plant could be well over a pound dry.
If you grow for personal use, why are you transporting it? I’m fine with storing as much as you like as home. If it’s legal across the US then this doesn’t really matter at all. I’m talking about limits on your person, for personal use, when not at home, in public. I don’t want to smell like a Rastafarian when I go to work.
Ya, here in Canada (caniba), nobody much cared what someone smoked or why, as long as they did it downwind and out of sight, since forever, and I have heard irate little ones admonishing adults, "You're not supposed to do that around us!" and grown adults eye-rolling and moving off. Now there are certain parks for the weed heads, and various semi-legal stores and some government weed outlets, but as it's not called weed for nothing, millions grow the little they want for personal use, and for people wanting it for medical reasons, there is a vast network of people helping people.
We went through the whole "certified medical cannabis" thing, and it collapsed under overwhelming demand and the impossibility of scaling the management, where the police and courts flat out refused to try to untangle the "legitimate" and "illegitimate", and we are back to what it was in the past, with an informal understanding of: go downwind and out of sight of the kids, thank you.
So are people storing these things in a non-HIPAA-compliant way or is this mostly attributable to some other vector that would not have been helped by compliance?
What a terrible leak - med records and marijuana use, especially in some circles - could be very useful blackmail material. :/
HIPAA is not a privacy law, nor even a healthcare law. It's an insurance law. It does not cover medical records generally. It deals strictly with how doctors bill insurance companies, and mandates security for health information being billed about.
For the same reason, health & wellness apps are not generally covered by HIPAA, and in fact quite a few of those exist solely for the purpose of selling medical data to data brokers. Especially ones related to women's health.
Medical marijuana dispensaries are not covered entities under HIPAA [0]. The way the law works is weird, but they are not required to comply. All the more reason the federal government needs to catch up with the times on cannabis.
I think there are even more basic table stakes that were missed here well prior to conducting any manner of formal compliance auditing - like unauthenticated users accessing this database!
Nearly a million records, which appear to be linked to a medical-cannabis-card company in Ohio, included Social Security numbers, government IDs, health conditions, and more.
Mine once asked if I'd like a referral to a doctor who was quite liberal in approving people for medical cards in my jurisdiction. I said, "And end up being tracked as a known user in a government database? No thanks." Safer on the streets.
Your neighborhood weed guy would never have your personal information, perhaps not even your full name, a nickname would suffice. But I get the point and the pun. It’s all a big charade
One more thing to note here: anybody in this database that is also part of the OPM leaks or holds a federal job (or is a trucker or other non-drug requirement) will now be compromised and subject to blackmail.
If the dots are connected they will lose their jobs. Full stop.
(new account online, new coinbase account online, stuff new account with cash, transfer to coinbase, transfer onchain, swap to monero, wait, access all with new mac address, new wifi, new browser session, or Tor if the services allow)
Daily reminder that KYC is a joke. The institutions and enforcement agencies that think it works don't know when it's not working, as long as a real ID, SSN and address are used.
This isn't meant to be a gotcha or a takedown, as I appreciate that you're one of the few HN users knowledgeable about crypto who isn't a shill or dismissive of crypto out of hand.
For those who aren't familiar with this industry, there are folks whose job it is to solve these problems with KYC being less effective than it ought to be. Many work in industry as devs, and many do the same as part of the Department of Justice or an affiliated agency or approved third party contractor. There are relevant working groups that bring all relevant parties together for operations. I don't want to assume that you don't know this, but you should not make it out like crime is easy, or that it pays. That said, government salaries are criminally low across the board. I can only assume the private sector of this niche pays better, as it can't very well pay much less than the public sector. Why this is the case is absurd, as it is mostly to do with pay scales and levels, and the near-impossibility of paying workers more, even when it's ready money that is already allocated.
You cash out in your personal account by launching a memecoin and buying a tiny bit on launch (or minting extra for yourself)
the baked xmr funds are once again swapped into virgin addresses that all buy your memecoin, with your clean funds you sell your position into the liquidity pool of the pumped coin
it looks the same as any other launch. are they bots, are they retail degens? who knows, pay capital gains tax and move on.
you can modify this by having the virgin addresses with dirty funds launch and pump the coin too, as long as your clean address buys near the beginning and sells into liquidity
this can all be scripted and done with unlimited amounts, a “bundler” can manage many virgin addresses with a nice GUI now, specifically to be multiple buyers and sellers of a launch
You can unlink your clean funds in less (or equally) restrictive ways for other reasons and privacy, but it's clean enough to pay taxes on and be free and clear.
Sell your mainline crypto for money-money, and declare it on your taxes? Isn't that straightforward to do, nowadays? Not trying to be snarky: I've never been involved in crypto, but I thought I understood it in principle.
Sidenote: The GP's point was an Aha! moment for me about memecoins. I never got why anyone ever bought into these at all, but money laundering makes perfect sense.
But one thing you're missing is that people don't know which ones will be money laundered, or attract gobs of capital for unknown reasons, and go up in price wildly. So people play at all levels depending on their risk appetite, since the profits from a coin being pumped are so wild.
These things launch with a market cap in the low thousands and run to market caps in the millions and billions, for tens of thousands of percent gains. It's what retail has always wanted from the IPO market, but instead of waiting decades for every rule to slowly change with no sign of the private sector using those rules, they have the crypto ecosystem now, and it's been a hit.
as far as financial market innovation goes, the liquidity pool code is pretty novel and an active area of research and competition, a candidate of something to graduate to - or intertwine with - the traditional markets
The liquidity pool will get you back into mainline cryptos; you transfer that back to your personal Coinbase or any crypto exchange account, sell for your nation's currency, and transfer to your bank account.
It can take a few minutes from liquidity pool to your bank account, or a few hours. Several days in the worst case.
I did click that -- it didn't have it listed either...
I think I wasn't clear, I wanted to know which database system people were using (i.e. Postgres, Mongo, etc). You can't even run Postgres in a container without a password these days, how could someone do a whole production deployment without a password.
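The article does not say which database engine was exposed, so the question above cannot be answered from the page. What a practitioner can check on their own deployment is whether the server's access rules admit clients without a credential, the condition both the "unauthenticated users accessing this database" comment and the Postgres question are really about. The following is an added example, not code from the thread or from the organization the article describes: it audits a PostgreSQL pg_hba.conf for rules that use the `trust` method (no authentication), legacy password methods, or an address range that matches every client. The config text it parses is constructed for illustration; it assumes CIDR notation in the ADDRESS column and does not parse the older IP-plus-netmask form.

```python
# Added example: audit a PostgreSQL pg_hba.conf for rules that let clients in
# without a real credential check. SAMPLE_PG_HBA is a constructed config.
import ipaddress
from dataclasses import dataclass

SAMPLE_PG_HBA = """\
# TYPE    DATABASE  USER  ADDRESS        METHOD
local     all       all                  peer
host      all       all   127.0.0.1/32   scram-sha-256
host      all       all   ::1/128        scram-sha-256
host      all       all   0.0.0.0/0      trust
host      all       all   10.0.0.0/8     md5
hostssl   all       app   0.0.0.0/0      scram-sha-256
"""


@dataclass
class Finding:
    line_no: int
    severity: str   # "critical", "high", "medium" or "info"
    rule: str
    reason: str


def _is_world(address):
    """True if the ADDRESS column matches every client (no network restriction)."""
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:          # hostnames, samehost, samenet: left unflagged
        return False


def audit_pg_hba(text):
    """Return one Finding per risky rule, in file order."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not body:
            continue
        parts = body.split()
        if parts[0] == "local":
            # Unix-socket rules have no ADDRESS column.
            if len(parts) < 4:
                continue
            address, method = None, parts[3]
        else:
            # host / hostssl / hostnossl / hostgssenc / hostnogssenc rules.
            # Assumption: CIDR notation; the legacy IP + netmask form is not parsed.
            if len(parts) < 5:
                continue
            address, method = parts[3], parts[4]
        world = address is not None and _is_world(address)
        if method == "trust":
            findings.append(Finding(line_no, "critical" if world else "high", body,
                                    "method 'trust' skips authentication entirely"))
        elif method in ("md5", "password"):
            findings.append(Finding(line_no, "medium", body,
                                    f"method '{method}' is a legacy password scheme; "
                                    "prefer scram-sha-256"))
        elif world:
            findings.append(Finding(line_no, "info", body,
                                    "rule matches every client address; confirm a "
                                    "firewall limits who can reach the port"))
    return findings


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f.line_no} [{f.severity}] {f.rule!r}: {f.reason}")
```

Run against a real file with `audit_pg_hba(open("/etc/postgresql/16/main/pg_hba.conf").read())` (path is an assumption; it varies by distribution). On the constructed sample it flags line 5 as critical (world-reachable `trust`), line 6 as medium (`md5`), and line 7 as informational (strong method, but every address matches). A `trust` rule on `0.0.0.0/0` is the Postgres equivalent of the open database in the article: anyone who can reach the port is in.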
> As legal cannabis has expanded around the United States for both recreational and medical use, companies have amassed troves of data about customers and their transactions.
And that should be treated as a massive liability, where one breach wipes out your company with lawsuits. And the wronged parties can go after the assets of executives and maybe even investors, due to willful criminal negligence.
If there's any justice, the "greed is good" techbro industry will finally be told that the sociopathic combination of systemic surveillance/stalking and gross indifference about even basic security is over.